From fef3c237f143c04b9cd5067ca57b083e2e8a989c Mon Sep 17 00:00:00 2001
From: pax
Date: Sat, 11 Apr 2026 16:22:34 -0500
Subject: [PATCH] =?UTF-8?q?security:=20fix=20#9=20=E2=80=94=20add=20upper?=
 =?UTF-8?q?=20bounds=20on=20runtime=20dependencies?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous floors-only scheme would let a future `pip install` pull in any new major release of httpx, Pillow, PySide6, or python-mpv — including ones that loosen safety guarantees we depend on (e.g. Pillow's MAX_IMAGE_PIXELS, httpx's redirect-following defaults). Caps each at the next major version.

Lock-file generation is still deferred — see TODO.md for the follow-up (would require adding pip-tools as a new dev dep, out of scope for this branch).

Audit-Ref: SECURITY_AUDIT.md finding #9
Severity: Low
---
 pyproject.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 5a6357c..aeff8b9 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -8,10 +8,10 @@ version = "0.2.5"
 description = "Local booru image browser with Qt6 GUI"
 requires-python = ">=3.11"
 dependencies = [
- "httpx>=0.27",
- "Pillow>=10.0",
- "PySide6>=6.6",
- "python-mpv>=1.0",
+ "httpx>=0.27,<1.0",
+ "Pillow>=10.0,<12.0",
+ "PySide6>=6.6,<7.0",
+ "python-mpv>=1.0,<2.0",
 ]
 
 [project.scripts]
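Review bot: The new upper bounds carry no in-file rationale, so the next maintainer who hits a resolver conflict will simply raise `<12.0` or `<1.0` and silently reopen the library defaults this commit is protecting; add a comment above `dependencies = [` such as `# Upper bounds are deliberate (SECURITY_AUDIT.md #9): bump a cap only after re-checking the defaults we rely on (Pillow MAX_IMAGE_PIXELS, httpx follow_redirects).` Caps only defer the problem — the more robust fix is to set those values explicitly where the `httpx` client is built and where images are opened, so behaviour never depends on an upstream default at any version. A range like `>=10.0,<12.0` still lets `pip` install any release inside it with no integrity check, so this is not a substitute for the hash-pinned lock file the description defers, and a cap that excludes the only major still receiving security fixes would block those fixes, so the caps need a scheduled review. The `[project]` table this array belongs to begins above the hunk.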